With the 2020 general election only a month away, 18 activist organizations have demanded transparency from Amazon’s Web Services (AWS) on at least three cloud security breaches involving voter data from dozens of states and agencies to which it supplies election services.
AWS has reportedly blamed the leaks, which Reuters reported last year, on user error and not its cloud infrastructure. But the activists want more information about the data exposures, such as scale and response, than the cloud platform provider has let loose. Still, it’s not unreasonable for Amazon to point to operator error for the data exposures. While AWS is responsible for securing its cloud, it’s on customers, many of whom lack the skills to and training to avoid making configuration errors, to secure their own data buckets.
In the 2016 election’s wake, at a time when voting officials were under extreme pressure to lock down the country’s election infrastructure from cyber attacks by adversaries, AWS began quietly pushing into the election data business. The strategy grew to include running party websites, compiling voter registration and ballot information, and helping to provide live election-day coverage, Reuters has previously reported. AWS also reportedly provides cloud services to both primary political parties, the Federal Election Commission (FEC) and other related organizations.
All told, AWS works with some 40 states and agencies but is not involved with voting on election day.
Along with housing and managing such sensitive data, however, has come security breaches about which AWS has offered little information, the activist organizations charge in an open letter to Amazon chief executive Jeff Bezos. The letter’s signees, which include associations such as Demand Progress, Fight for the Future, Media Alliance, RootsAction.org, Partnership for Working Families and The Surveillance Technology Oversight Project, demanded that Amazon “disclose all instances of security breaches related to election data, the implications of such breaches, and the actions it took to address them.”
Exposed critical data can be used by hackers to manipulate the 2020 elections, the organizations said in the letter. “Amazon needs to be transparent about their response to these breaches, so the public can evaluate the security of the election system and the steps Amazon is taking,” they said. “We know bad actors are looking for loopholes, like the cloud security compromises, that they can exploit to influence the outcome of our elections. Given the stakes, Amazon should be doing everything they can to secure our elections,” the letter reads. Putting the “onus” on users is “unacceptable,” the group said.
Still, the activists acknowledged that Amazon’s responsibility does not extend to customers’ data encryption practices but nonetheless maintain that “our election system is not an everyday customer, and the public needs transparency about security issues to assess the possible threats to our election system.”
Additional organizations endorsing the letter include AI Now Institute, Athena, Color of Change, Constitutional Alliance, Just Futures Law, Kairos Action, MediaJustice, MPower Change, Open Markets Institute, Secure Justice, Woodhull Freedom Foundation and X-Lab.